FWSM software upgrade

I had a challenge in having to upgrade a pair of resilient production firewalls housed in the same chassis with minimal downtime. The Cisco recommended solution is potentially the best to follow. However, I went slightly off piste and came up with a solution that resulted in a sub-15-second loss of service. The FWSM has a multi-partitioned flash that gives an easy means of accessing the underlying maintenance code or booting different software versions. The key partitions in this scenario were cf:4 and cf:5; these are the standard operating partitions which hold the ASDM image and the FOS software image (generally referred to as FLASH:). I won't go into all of the other partitions in this post. The scenario is that we have two FWSMs located in slots 6 and 7 of a 6509E. The FWSMs are operating in Active/Passive failover using code version 3.2. Here's what I did:

  • TFTP the live config off for backup:
      copy run tftp:///configs/live-startup-config
  • Shut down the secondary FWSM module:
      no power enable mod 7
  • Create a new FWSM vlan group and associate vlan 100 with it:
      firewall vlan-group 9 100
  • Assign the new vlan group to module 7:
      firewall module 7 vlan-group 9
  • Configure the switch to boot module 7 from cf:5 rather than cf:4:
      boot device module 7 cf:5
  • Power on the secondary FWSM module:
      power enable mod 7
  • Access the FWSM from the switch console:
      sess slot 7 proc 1
  • Clear the FWSM configuration in cf:5 and reboot for a factory reset:
      write erase, then reload without saving.
  • Configure the FWSM with basic settings:
      int vlan 100
      ip address 192.168.100.254 255.255.255.0
      nameif INSIDE
      no shut
      icmp permit any inside
The FWSM now has only one active interface, in vlan 100, and the only vlan configured for it on the 6509E is vlan 100. In this state it does not affect the live FWSM, and any operational changes apply only to module 7. It is worth noting that vlan 100 was not already an active vlan used anywhere in the configuration. Set up a TFTP server in vlan 100 on the 6509E on a spare IP address in the 192.168.100.0/24 range. You should be able to ping from the FWSM to the TFTP server and from the TFTP server to the FWSM.
  • TFTP the previously backed-up live config onto the FWSM:
      x
  • TFTP the required software image onto the FWSM:
      x
  • TFTP the required ASDM version onto the FWSM:
      x
  • Reboot the FWSM:
      x
  • Remotely connect to the FWSM and verify that the configuration and software have been installed:
      sess slot 7 proc 1
      show version
  • Save the configuration (this is often required when code versions are updated):
      write mem

Once the FWSM is verified as up, issuing a show interface will show that all of the logical vlans are down/down. This is where I altered my plan and shut down the primary FWSM module in slot 6. I then allocated the normal production firewall vlan-group to module 7. During this whole period I had a ping running against one of the servers in the data centre. The loss of 13 pings was not too dramatic as module 7 came into full operation and module 6 was taken offline. I will add, make no mistake about my method above: it clears all active sessions and connections, and communication between two nodes will need to be re-initiated. All said and done, 13 seconds was far less than the 3 minutes spent waiting for both FWSMs to reboot.
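As an added example, not part of the original post, here is a small Python script for the verification step: it compares the TFTP backup of the live config with the running-config pulled from the upgraded module, ignoring the header, version stamp and checksum lines that legitimately change, and checks the version reported by show version. The config text, the target version 3.2(4), the interface names and the exact show version line formats are all constructed assumptions, so the regexes may need adjusting to the real output.

```python
"""
Added example (not from the original post): sanity-check an FWSM upgrade by
diffing the pre-upgrade backup against the post-upgrade running-config and
confirming the running software version. All sample text below is constructed.
"""
import re

# Lines that legitimately differ between the backup and the post-upgrade
# config and must not be reported as drift (header, version stamp, checksum).
VOLATILE = (
    re.compile(r"^:\s*Saved"),
    re.compile(r"^:\s*Written by"),
    re.compile(r"^FWSM Version"),
    re.compile(r"^Cryptochecksum:"),
    re.compile(r"^\s*$"),
)


def normalize(config_text):
    """Return the non-volatile config lines, right-trimmed, in original order."""
    return [
        raw.rstrip()
        for raw in config_text.splitlines()
        if not any(p.match(raw.rstrip()) for p in VOLATILE)
    ]


def config_diff(before, after):
    """Return (missing, added): lines only in the backup / only in the new config.

    Order is ignored because the upgraded code may re-emit sections in a
    different order. This is a coarse check: identical lines under different
    interfaces (e.g. ' no shutdown') collapse into one set entry.
    """
    b, a = set(normalize(before)), set(normalize(after))
    return sorted(b - a), sorted(a - b)


def parse_show_version(text):
    """Extract (version, image) from 'show version' output.

    The line formats below are an assumption about the FWSM output.
    """
    version = re.search(r"^FWSM Firewall Version (\S+)", text, re.M)
    image = re.search(r'^System image file is "([^"]+)"', text, re.M)
    return (version.group(1) if version else None,
            image.group(1) if image else None)


def upgrade_check(before_cfg, after_cfg, show_version, expected_version):
    """Combine both checks into one pass/fail summary.

    Lines that newly appear (new defaults) are reported but do not fail the
    check; any line that went missing does, since that is lost policy.
    """
    missing, added = config_diff(before_cfg, after_cfg)
    version, image = parse_show_version(show_version)
    return {
        "version": version,
        "image": image,
        "version_ok": version == expected_version,
        "missing_lines": missing,
        "added_lines": added,
        "config_ok": not missing,
    }


# Constructed sample data: a backup taken on 3.2(1) and the config read back
# from the module after booting the upgraded code from cf:5.
BACKUP_CFG = """: Saved
:
FWSM Version 3.2(1)
hostname FW-PRIMARY
interface Vlan10
 nameif outside
 security-level 0
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 nameif inside
 security-level 100
 ip address 10.0.20.1 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 10.0.20.50 eq 443
access-group OUTSIDE_IN in interface outside
Cryptochecksum:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

UPGRADED_CFG = BACKUP_CFG.replace("3.2(1)", "3.2(4)") \
    .replace("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb") \
    .replace("Cryptochecksum", "no asdm history enable\nCryptochecksum")

SHOW_VERSION = """FWSM Firewall Version 3.2(4)
Device Manager Version 5.2(4)F

System image file is "flash:/fwsm-image-PLACEHOLDER.bin"
"""

if __name__ == "__main__":
    result = upgrade_check(BACKUP_CFG, UPGRADED_CFG, SHOW_VERSION, "3.2(4)")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against the real backup and the real output of `show running-config` and `show version` from `sess slot 7 proc 1` before the production vlan-group is moved across; any entry in `missing_lines` means the restored config lost something and the module should not yet take the live vlans.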

The same steps were then carried out on the primary FWSM: booting into the alternative flash partition and carrying out the upgrade. Once completed, the FWSM was brought up and, before re-allocating the firewall vlan-group back to module 6, the configuration was updated to identify it as the failover secondary unit. The configuration was saved and the FWSM in slot 6 was shut down. The vlan-groups were then applied to module 6 and the FWSM was brought online.

Job Done…
